For network access control, the most ubiquitous form of security protection is the firewall. A firewall is a way, in computing, to allow or deny the transmission of data to or from a device. FIG. 1 shows a device accessing a network through a conventional firewall to illustrate how a traditional firewall works. An example of a traditional firewall is iptables, which is included with the Linux operating system
There are many different types of firewalls (client side, server side, packet based, socket based, application aware, or stateless), but the key characteristic of all conventional firewalls is that they operate on the notion of the source or destination address and/or the source or destination port number specified in a data packet. A data packet is a piece of data that has been formatted properly with the appropriate addresses and information necessary so that it can be routed to its intended destination with a data payload across a network or series of networks.
An address in networking is commonly referred to as an IP Address, where IP stands for Internet Protocol. There are two versions of IP used today IPv4 (whose address space just ran out) looks like 192.168.1.1 and IPv6 (a new variant of IP that has had slow uptake) looks like 2001:0db8:85a3:0000:0000:8a2e:0370:7334. Every machine on the internet receives an IP address (whether private or public); this is the main way that machines are able to locate other machines in a network in order to send and/or receive data. On each device, an application or series of applications are responsible for sending and/or receiving data packets. Data is routed to the IP address that corresponds to a machine; however where it goes once it gets to the machine is a decision that is up to the port number being used. The port number can be thought of as the individual apartments at an apartment complex, where the IP address is the address of the building and each apartment is a port number, and the applications are the residents in the apartments. A port number can only be used by one application at any time on the same device. The port number is bound to the connection (socket) until the connection is terminated, at which point the port number is allowed to be recycled. IP addresses and port numbers make up the core components of a single firewall rule.
Typically, network access control has been handled by a firewall either on the device or somewhere else in the network. Yet, a problem with conventional firewalls is that granularity of the firewall (for example iptables) is limited. That, is conventional firewalls provide coarse control, based on rules such as checking IP addresses, but are not well-suited for providing access control at finer layers of control.